OSR Online Lists > ntdev
20 Apr 17 12:51
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11622
Re: [OSR-DETECTED-SPAM] RE: SecureBoot/Driver signing for corporate usage

xxxxx@mail.ru wrote:
> Undoubtedly the driver must be signed and it is signed.
> The problem arose when the sign is not enough in Win10 >1607 and SecureBoot (UEFI BIOS).
> The recommended way is submitting the driver for MS attestation and resigning (cross signing) by MS (via sysdev portal). After resigning the problem will be solved.

Just for accuracy's sake, the attestation process is not "cross signing". Microsoft is appending their own certificate chain to your binaries in addition to yours. In "cross signing," you still have a single certificate chain, but it gets extended to "cross over" from your certificate authority to Microsoft's.

When you sign a driver, the certificate chain essentially looks like:

    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority

After cross-signing, that becomes:

    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority
    Microsoft's code verification root trusts Digicert's master authority
    Microsoft's code verification root trusts Microsoft's code verification root

and the kernel looks for that last one. But with attestation, that becomes:

    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority
    Microsoft's code verification root trusts Digicert's master authority
    I am also Microsoft
    Microsoft's code verification root vouches for Microsoft
    Microsoft's code verification root trusts Microsoft's code verification root

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.